Steve Foster, the Head of Solutions Engineering for MEA at Netskope, says early adopter organizations have already moved to architectures like SASE and SSE, that better support a Zero Trust approach

How has the Zero Trust Network Architecture evolved since it was first coined in 2010?
Since its introduction as a counterpoint to the implicit trust that exists on the internet, Zero Trust has become well-recognised as a methodology requiring explicitly proven trust before access is allowed. Recently it has evolved from a singular concept into a broad set of terms used so much and so widely that it has almost lost its meaning. Our field CTO Steve Riley was actually the first person to use the phrase Zero Trust Network Access (ZTNA) – when he was an analyst at Gartner – but ZTNA has also evolved over recent years.

Originally it championed the idea of “trust nothing”, but it is now better suited to practical use, driving towards the idea of “trust nothing without adequate and continuous authorization”. Fundamentally, ZTNA takes us from the perimeter-based security model where – once you are through the perimeter – you have open access to everything, to an access model that requires users, devices, and applications to continually prove they are authorised before accessing only the specific resources they have been allowed.

Do you believe that technologies that support zero trust are moving into the mainstream?
When we see global government entities and national security organisations mandating Zero Trust architectures we know the technology is moving mainstream – and that is exactly what is happening at the moment. Two of the key technology architectures for supporting a zero-trust approach to network and application access are SASE and SSE. While traditional perimeter security tools are still available, they are an investment in legacy technologies.

Early adopter organizations have already moved to architectures like SASE and SSE, that better support a Zero Trust approach, and now we are starting to see a majority of organizations doing likewise. This is a sure sign that the technologies supporting a Zero Trust architecture are now mainstream.

Do you believe that enterprise IT departments today require a new way of thinking because the castle itself no longer exists in isolation as it once did?
Enterprise IT departments are having to rethink their approach to security in a world where locking everything down is no longer an option. Users, applications, data, networks – everything was once able to be hermetically sealed against both infiltration and exfiltration, but this is no longer the case.

Security and networking architectures are all being swiftly rethought with a view to enablement rather than restriction. The question IT departments are asking themselves is; how do we provide access without losing all security, or how do we maintain security without limiting productivity? It’s that quest for balance between access and security that is the new tension.

How can companies get started with zero trust?
Zero Trust can seem like an impossibly large project, so I always suggest identifying a starting point where you can make the most impact as quickly as possible. The enterprise perimeter is where the most current risk lies, so I recommend focussing on ZTNA for access to internal resources, where micro-segmentation will prevent lateral movement between resources. Once you have implemented ZTNA, move on to other initiatives to extend a Zero Trust approach throughout your technology infrastructure. For example, pilot a remote browser isolation solution, scan all data at rest in the public cloud for external shares, and start scanning containers that your developers are creating for new apps.

Industry experts have warned that cyber-attacks will be focused on techniques that zero trust controls can’t mitigate. What according to you can be done to address this?
Adopting a Zero Trust approach would be beneficial in mitigating wider cyber risks, but it is important to understand there are always limits to any security measure. With this in mind, it’s important to identify and shore up any blind spots.

Ensuring you have Multi-Factor Authentication in place and removing administrator rights on all end-user devices are good starts, but make sure you also know where your most valuable assets are, and segment them off from the wider network so you can limit any damage if there is a breach elsewhere. You could also make sure you are not exposing them to the outside (directly on the internet) instead of putting them behind a ZTNA wall which will limit what damage a cyber-attack can do.

What according to you are the limitations of zero trust?
Because Zero Trust is not a product, it can’t be bought and installed in one sitting to mitigate cyberrisks. For this reason, it is likely to be rolled out as separate projects leaving gaps that could be exploited. Unwinding existing legacy technologies as part of a migration to Zero Trust can also leave some points of exposure. These can of course be mitigated by picking the right projects to start your journey with (start small and scale slowly), while always keeping the principles of Zero Trust in mind.